Standard for Encryption Controls

I. PURPOSE

The purpose of this standard is to ensure that efforts to keep university resources secure using encryption controls are conducted in a manner which preserves the confidentiality, integrity, and authenticity of the information.

II. SCOPE

This standard is applicable to university faculty, staff, and other authorized users who access university owned or maintained data.

III. CONTACTS

Direct any general questions about this standard to your department’s administrative office. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV. STANDARD

Encryption can be a very effective security measure that protects data stored on a university computer if the device is lost or stolen.  Due to their mobility, laptops present a greater potential for data loss. Therefore, university laptops should be encrypted with the centrally managed full disk encryption solution.

One of the challenges of encryption is the management of keys or passwords used to unlock the drive.  The inability for authorized personnel to access encrypted data can result in the loss of university resources. For this reason, any encryption involving university owned or maintained data or resources needs to use the centrally managed solution.

Some situations involving contractually protected research data or certain operating systems may prohibit the central storage of encryption keys.  In these scenarios, an alternate encryption solution, with the encryption keys managed by the area Data Security Officer, may be considered.  This solution must be reviewed by the ITS Information Security Compliance department.

NOTE:  Full disk encryption is not a substitute for other protection controls including the proper handling of sensitive or confidential university information as outlined in the Standard for Information Classification and Guideline for Data Handling.

RELATED RESOURCES

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initial Draft   4/04/17
Information Assurance Committee Approval   5/19/2017